This is a programme designed to help users and employees develop their understanding of their role in reducing information security breaches. It does so by helping individual employees understand cyber security risks and recognise potential attacks such as phishing emails.
The process of confirming the identity of an individual who is trying to access and use a computer system.
While an audit log is data from one application or system, an audit trail is a combination of multiple logs which together track specific events or actions across a network.
Applications and systems store logs that record the actions taking place on them. This can be extremely beneficial to security teams, who can use this data for monitoring purposes and for forensic analysis in the event of a breach.
A series of events that take place in order to carry out an attack. These can be analysed and, if a pattern is present, used to identify the perpetrator.
An actor with malicious intentions who aims to exploit systems by taking control of, disrupting, damaging, stealing or manipulating data or systems. Attackers can be either an individual or a group (ransomware groups are a common example) able to perform a series of attack tactics. Other Names: Threat Actor, Malicious Actor, Cyber Criminal, Hacker
An asset can take many forms: it can be hardware, software, data or any other valuable component within an IT environment.
A type of software that prevents a computer from being infected with viruses/malware by scanning, detecting and removing the malware. Also known as: Anti-Malware Software
A system will only permit specific connections which have been identified within a database or ‘list’. For example, the list can contain certain domain names, IP addresses or email addresses. Also: this can be known as a ‘White List’ and is the opposite of a Block List.
In cyber security, an alert is often an automated notification from your security systems to highlight an event which could impact the security of your organisation. Alerts are given a severity level which helps employees manage, analyse and respond. Examples of a security alert are unusual behaviour from a privileged account, a new login location, outbound network traffic abnormalities and configuration changes.
An acronym for assess, improve and maintain. Assess: review and identify key security areas of risk, seeking out opportunities for improvement and closing those security gaps. Improve: drive improvement by leveraging our expertise across the cyber security arena, through strategic consultancy and industry-leading technology. Maintain: services designed to assist with cyber security responsibilities, maintaining and maturing existing controls through continuous improvement.
Most cyber attacks are by ‘chancers’ hitting a lot of targets and hoping to find a common vulnerability somewhere to exploit. Advanced Persistent Threats are more sophisticated attacks that are aimed at a specific target, using various attack vectors in a sustained attempt to compromise it. This is usually because the target has been identified as high value or is being specifically targeted for other reasons, e.g. political motives or revenge. They are usually orchestrated by organised groups who are highly motivated to breach your security.
This is a high-privilege login account which is permitted to carry out tasks such as software installation, system reconfiguration and management of all user accounts.
An Access Point is the device used to give LANs a wireless entry point. Most modern devices have wireless capabilities, and end users tend to prefer wireless access to networks for the portability it offers. Historically slower than wired access, the speed of modern AP devices is now close enough to wired networks for most uses that wired connections are becoming obsolete. Though less secure than wired networks, especially in the case of older devices, APs can be easily linked to extend networks over a larger area for a fraction of the cost. There are two types of APs, fat and thin. The only difference is whether the device itself manages the interaction with connected devices or simply channels the traffic to a central control point for management. Also: Wireless Access Point (WAP)
Systems are configured to allow individuals and other systems access only to the functions they require to carry out their job or purpose. This is a fundamental component of cyber security and is one of the five technical control themes of the Cyber Essentials standard. Also: referred to as Least Privilege.
A framework implemented by a company detailing the procedures to follow to maximise the business's chance of survival following a business incident such as a cyber attack.
An attack method that attempts to overwhelm the target system into making mistakes, such as granting unauthorised access or simply breaking and preventing authorised access. They generally rely on coding gaps or errors in systems.
A type of attack that keeps trying different credentials until it finds a correct set. Brute Force Attacks are a basic form of attack with easy prevention methods, but due to their simple setup, especially when combined with a Password Dictionary, they are still commonly used.
A good defence technique is to lock accounts after a certain number of incorrect login attempts and to use passwords of good complexity.
Company policy that permits employees to use their own personal devices for work purposes.
When data, devices, networks or systems are accessed in an unauthorised manner after bypassing security mechanisms.
A boundary (or perimeter) device is any Internet facing device. This does not mean any device that can access the internet, but the last device traffic goes through before being exposed to the internet. Usually this would be a firewall or a router. However, systems can have multiple boundaries.
A group of individuals responsible for analysing systems and the design of new or improved security mechanisms to ensure safety and reduce the risk of attack.
A database or ‘list’ of domain names, IP addresses, email addresses, users etc. that are banned from accessing a system.
The process of monitoring an employee's system behaviour to identify what behaviour is normal, so that security systems can alert individuals if they detect abnormal behaviour.
A backup is a copy of your systems that can be used if the current version fails or if the organisation falls victim to a cyber attack. A backup allows all content to be restored to a previous version, such as from a time before a breach occurred. There are multiple types of backup, including electronic versions, which can be stored on-premises or in the cloud, and physical copies.
An unauthorised or covert method of accessing a system or application that bypasses normal authentication. While back doors can be used by developers to offer technical assistance, they are often used by malicious actors to access your device or personal data without your permission. For example, malware can be used to give threat actors remote access to your systems.
A Cloud Access Security Broker (CASB) is a security tool that provides oversight and control over the data and applications used in a cloud environment. It acts as a gatekeeper between cloud service users and cloud applications, enabling organisations to extend the reach of their security policies beyond their own infrastructure. A CASB manages and secures data through various methods such as encryption, tokenisation and access control, helping to prevent unauthorised access, data breaches and other security threats. This technology is crucial for enterprises that utilise cloud-based services and seek to maintain compliance with data protection regulations.
Boundary Firewalls and Internet Gateways, Secure Configuration, Access Control, Malware Protection and Security Update Management
Cyber Essentials and the Plus version follow the same guidelines; the difference is that for the Plus version a certification body, such as Data Connect, performs a technical audit to verify that you meet the requirements of the standard.
Cyber Essentials is a UK government-backed scheme that will help you protect your organisation, whatever its size, against a range of the most common cyber attacks. The self-assessment version gives you protection against a variety of the most common cyber attacks. There are five technical control themes that must be followed.
In line with the Computer Misuse Act (1990), a cyber incident is a breach of a system’s security policy in order to affect its integrity or availability and/or the unauthorised access or attempted access to a system or systems.
An attempt to gain illegal access to one or more computers or networks. Launched by a cyber criminal, cyber attacks are able to destroy systems, steal data and disable computers. A cyber attack can take many forms, including malware, phishing, ransomware and denial of service, as well as many other methods.
Cross Site Scripting is an attack method whereby the attacker injects malicious scripts into an otherwise trusted website. Then, when a user enters information, for example payment details, this data is sent to the attacker.
Something that verifies and authenticates a user’s identity, such as a password or certificate.
A method or system that an organisation uses to reduce a security threat.
A token of data embedded into a web page to allow the owner of the site to track your activity on it.
The successful penetration into a system by a malicious actor.
An industry standard that gives each vulnerability a severity score from 0 to 10, with a matching qualitative rating. There are multiple versions of the scoring system, the most recent being CVSS v3. None: 0, Low: 0.1-3.9, Medium: 4-6.9, High: 7-8.9, Critical: 9-10. This is important in vulnerability management and Cyber Essentials as it provides a method of prioritisation for patch management.
The practice of using a network of remote servers hosted on the internet as opposed to using a local server or a personal computer.
An online service in which shared computers and storage resources can be accessed as a service. Resources can include software services, platforms and infrastructures.
Information that has not been encrypted.
The outcome of running a piece of text through a cipher.
A method (algorithm) for transforming text into an encrypted form.
A group of protocols used to protect assets from unauthorised users. One side sends a ‘challenge’ and the other side replies with a ‘response’. A prime example is an application asking a user for their password and the user responding with it.
Data Loss Prevention (DLP) refers to a set of tools and strategies used to identify, monitor, and protect sensitive data across an organisation. The purpose of DLP is to prevent unauthorised access, misuse, or transmission of critical information. This usually involves policies and technologies that help detect potential data breach or loss incidents and block them proactively. DLP solutions are crucial in guarding against both internal threats, such as accidental or malicious actions by employees, and external threats like cyber attacks. They typically function by classifying sensitive data, monitoring data access and usage, and ensuring encryption of critical information to secure it against unauthorised exposure.
DNS filtering is a network security mechanism that controls and blocks access to websites or services based on their domain names. It operates by intercepting DNS queries from devices within a network, and either allowing or blocking these queries based on predefined security policies or blacklists. This method is effective in preventing access to malicious, inappropriate, or unapproved websites, enhancing overall network security and compliance. DNS filtering is also utilised to enforce content restrictions in various environments like schools and workplaces.
This represents the amount of time that an attacker has access to an environment from the initial time they get in to when they are detected.
The digital information that is left behind from a user’s online activity is their ‘footprint’.
A DDoS attack goes further than a DoS attack as it uses multiple computers or machines to flood a targeted resource.
In the event of a severe security attack or outage, your DRP will focus on the technical aspects of getting your systems back up and running.
In order to improve your chances of preventing an attack it is good practice to employ several layers of protection. This means that if your outermost layer of security is breached, for example your perimeter, then there are several more different types of protection in place that would need to be breached before someone could access your systems.
This usually occurs when a service is overloaded with requests. As a result, legitimate users are denied access to resources or computer services.
A deny list is a mechanism that is used when looking at access controls and is used to block or ‘deny’ the listed entities from communicating with a computer, site or network.
Using a Decryption Algorithm will allow you to convert Cipher Text into Clear Text. It is the opposite of an Encryption Algorithm.
To decode a message into a form that can be read.
DLP software can be installed to ensure that sensitive information does not leave your systems. This can be done by scanning the content of outbound email or files being copied to a USB stick.
Data that is in continual storage such as hard disks, removable media or backups is described as data at rest.
When a vulnerability is taken advantage of to produce the effect the attacker intends.
In terms of security, an event is something that is interesting that you believe is worth recording for later reference or reporting.
An ethical hacker is a security expert who, with the authorisation of an organisation, penetrates their computer system, network, application or other computing resource to uncover potential vulnerabilities that could be exploited by a malicious hacker.
These are your smartphones, laptops and tablets that connect to your organisation’s network.
This is the mathematical formula that is used to encrypt data.
To encrypt information is to make it unreadable to all except for those with the key to decode it.
This is the process of filtering outbound network traffic in order to prevent internal data from leaving the organisation’s systems.
FWaaS is a cloud-based security service that provides firewall protection. It offers advanced security features comparable to a traditional Next-Generation Firewall (NGFW) but delivered as a service. FWaaS solutions typically include:
By leveraging FWaaS, organisations can benefit from enhanced security, reduced management overhead, and increased agility.
Investigating and analysing cyber attacks, while also preserving the evidence.
This is the software that drives the core operation of a computer or network device. This part of the system is less often upgraded because it generally means there will be some downtime.
A firewall can be hardware or software that prevents unauthorised access to or from a network by defining a rule set to constrain network traffic, commonly between a private LAN and the internet.
This refers to a system that has multiple layers of security based on how data sets are processed and stored.
A cyber security gap analysis helps organisations determine where they are currently in terms of their cyber and information security. Having a gap analysis can provide some clarity as to how far you are from achieving industry standards such as ISO 27001 or Cyber Essentials certification.
This is the lack of action or unintentional action made by users or employees that can cause, spread or permit a cyber attack.
This is an example of defence in depth and is an added layer of protection against attackers. It is typically run on servers, identifying and blocking attempts of intrusion that have managed to get through the firewall.
Honeypots are systems, usually websites, that do not contain any sensitive data, but are designed to attract attackers.
Identity management in cyber security refers to the framework of policies and technologies for ensuring that the proper people in an organisation have the appropriate access to technology resources. It involves the identification, authentication, and authorisation of users and entities by evaluating user login information like usernames, credentials, and security tokens. Identity management systems help secure sensitive data by regulating both user and device access while ensuring compliance with policies and regulations that reduce the risk of data breaches.
A security measure for IP networks, often used for VPN connections.
This goes a step further than an Intrusion Detection System by attempting to stop the attack, potentially by automatically disabling a network connection.
Software that monitors a system and identifies attempts to break into it.
Refers to a web server that is not available from the internet and is instead completely internal to your organisation.
IP addresses are used by devices to communicate with each other on the internet.
This refers to everyday objects that have the ability to connect to the internet, such as televisions and fridges.
This is the network that connects the internal systems of an organisation together.
Internal vulnerability scans identify at-risk systems and can assist an organisation in prioritising its patch management processes.
This refers to intangible creations in the context of who owns them, for example patents, trademarks and copyrights.
How accurate and trustworthy the data is. An attack on data integrity would render that data useless, as it has been corrupted.
Legitimate users having privileged access to systems comes with a risk of potential damage, whether malicious or unintentional.
The threat of attack from within an organisation, such as an employee.
The distribution of information by systems or people as allowed by access rights configuration.
Protecting organisational data from theft or access from potential hackers.
A set of procedures that increases your chances of recovering from an incident which affects the business, such as a security breach.
An incident is the next level up from an event: an unwanted or unplanned outcome has occurred on the systems involved, such as malicious disruption or changes to a system's firmware, software or hardware without consent.
An Indicator of Compromise (IOC) is any behaviour that appears suspicious. They could be unexpected actions performed by programs or unusual end user activity. They work well when you have completed some baselining and can find anomalies. They become the basis on which security analysts begin their investigations.
When an individual unknowingly sends sensitive information out of an organisation's systems.
An attack tactic that interferes with communications that involves sending an array of signals to render a Wi-Fi network unusable and cause disruption to operations.
A Keylogger is a malicious piece of software that records a user's input activity (usually from a keyboard) and reports it back to an attacker. This is one method of stealing a user's credentials. The program is usually installed from a downloaded file or delivered via a USB drive.
This is a method of cryptography and is a process where a ‘public key’ is exchanged between a sender and a receiver.
In cryptography, a key is a string of numbers or letters (the common case) used with an encryption algorithm to encipher data or to decipher it.
Malicious code in a computer system that is set to be activated when specific conditions are met, such as a date and time being reached.
A group of locally connected devices, forming their own system. For example, an office or your home environment. The security settings between these devices are typically lower than devices connecting over the internet which aids easier connectivity between the devices.
When data is encrypted for the whole journey from the sending endpoint to the receiving endpoint.
Each user is given the lowest privileges possible on their account to allow them to carry out their job.
This type of authentication is a process where two parties in communication verify each other before a data exchange can take place. Also: known as two-way authentication
Multi-Level Security is a system used to classify the level of access users have based on their hierarchy to allow visibility to only the data they should be able to access.
The use of more than two different methods of identification.
Managed Detection and Response – A managed service that provides detection of malicious activity in an organisation’s network as well as rapid incident response to eliminate the threat and remediate the actions.
A Man in the Middle attack is an attack whereby an attacker has inserted themselves between two devices and is listening to, and usually copying, the traffic. The insertion method could be via software or hardware. Because the traffic is usually unaffected and still reaches its destination, these attacks can be hard to spot.
Provides outsourced monitoring and management of security systems or devices, including managed firewalls and vulnerability scanning.
Examples of malicious software are worms, viruses, trojans or any other code or content that causes a security problem within a system.
Software that the user wasn’t expecting and that they didn’t ask for that can do harm.
Malware written in the macro languages of applications such as word processors or spreadsheet software.
Network segmentation is a strategy used in computing and networking to divide a network into multiple segments or subnetworks, each functioning as a separate network zone. This approach improves security, efficiency, and performance by restricting access, reducing congestion, and limiting the impact of potential security breaches. Network segmentation is often implemented using technologies such as firewalls, virtual LANs (VLANs), and other network management tools. The primary goal is to control traffic flow, enhance monitoring capabilities, and isolate network segments to contain any threats and prevent them from spreading across the entire network.
Where NAC is in use a network infrastructure will not allow a device to communicate with it until it has proven its identity and is up to date on the latest operating software and anti-malware software.
A network is a collection of two or more computers that are connected with the purpose of sharing resources.
Similar in concept to a password, but rather than a memorable set of characters, a private key is a long, often randomly generated sequence used to create digital signatures and to protect sensitive data. Private keys can be applied to data to encrypt or decrypt it, making it either unreadable to other users or readable to the intended user.
Security software installed onto an individual’s PC or other computer to control incoming and outgoing traffic.
Data and information that relates to a specific identifiable person. This can range from surnames and phone numbers to IP addresses.
The regular process of identifying, deploying, downloading, and applying ‘updates’ to a system and application software. These updates are known as patches.
Applying updates to firmware or software to improve security and/or enhance functionality.
A software or operating system update to correct security vulnerabilities.
A type of access control technique to ensure data can only be accessed with the right credentials.
A word, phrase or sequence of characters used to authenticate access.
Proxies are used to make connections on behalf of another device. These are helpful in hiding your details from exposure, however, they are helpful for attackers for the same reason.
The active management of accounts with elevated privileges, such as IT or Management staff. It is a good practice to only use elevated accounts when necessary.
A tool used in the reconnaissance stage of an attack. The attacker scans an IP to discover if any vulnerable ports are open that are more prone to exploitation.
Remote Browser Isolation (RBI) is a cyber security technology that separates browsing activity from a user’s local network and device. By directing all active web content such as JavaScript, HTML, and video to a remote server, RBI executes the website interactions and only sends safely rendered information to the user’s device. This protective layer prevents potential threats from reaching the user’s local environment, thereby enhancing security while browsing potentially harmful or unknown websites.
The process of prioritising, assessing and executing appropriate risk controls to avoid cyber security breaches.
The process of identifying, analysing and evaluating cyber security risks to ensure that time, effort and resources are being allocated correctly.
Focuses upon an organisation's ability to prevent, survive and recover from cyber security incidents.
Refers to portable media such as optical disks, external hard drives and flash memory cards that can be added to or removed from a device or network. These devices can spread malware between systems.
The capability of users to access a device or network from any site.
A type of data protection solution, recovery procedures are designed to address modern threats to enhance the security of systems and software.
Awareness training over time can become outdated. Therefore, training courses must adapt their training to real world experiences and knowledge to ensure that the teachings reflect current and modernised issues.
A collection of exploit tools maliciously installed onto a system to help an attacker carry out an attack.
These types of attack monitor traffic and then send very similar traffic back into the system. The intention is to upset the system into breaking or giving unauthorised access.
SDWAN is a technology that manages and optimises the performance of a wide area network (WAN) by leveraging software-defined networking (SDN) principles. This approach allows businesses to route traffic through a centralised control function, improving efficiency, enhancing connectivity between different geographical locations, and ensuring optimal performance for critical applications. SDWAN enables organisations to lower operational costs, gain increased flexibility, and enhance their network security measures. This makes it an ideal choice for companies looking to manage more complex networking environments or those with extensive multi-site operations.
A Secure Web Gateway (SWG) is a security solution designed to regulate and monitor all outgoing and incoming network traffic to and from the internet, ensuring data security and compliance. SWGs protect organisations from online threats such as malware and cyber attacks by implementing policies that filter unwanted software and malicious websites. Additionally, they often include functionalities like URL filtering, malware detection, data loss prevention, and application controls to bolster web security. SWGs can be deployed as on-premises appliances, cloud services, or hybrid solutions.
Security Service Edge (SSE) is a framework designed to enhance cyber security by protecting data and applications at the network edge. This approach shifts security measures closer to where data access occurs, facilitating real-time threat detection and responsive defences. SSE represents a dynamic step toward more robust, adaptable cyber security solutions in a digitally-driven world.
SASE is a cloud-native security model that combines comprehensive networking and security functions into a single, integrated service. This architecture simplifies the IT environment by delivering both network connectivity and security from a unified platform, facilitating secure and efficient access for users anywhere. SASE is particularly effective for businesses embracing remote work and a zero-trust security approach.
Any unwanted or unsolicited messages that generally get sent out in bulk. Spam can be received through emails, text messages and social media.
Manipulating people into carrying out specific actions, or divulging information, that’s of use to an attacker.
An amalgamation of the words ‘phishing’ and ‘SMS’, in which mobile phone text messages are sent by an attacker in the hope of obtaining sensitive information.
Whilst connected to a VPN it isn’t always necessary that all the traffic goes through it. In this instance you would employ split tunnelling to save on bandwidth and increase response time for traffic that doesn’t go through the VPN connection.
A security platform which collects and displays information about a system, searching for IOCs and reporting them to a Cyber Security Analyst for further inspection.
Using a computer, cut off from the rest of the system, to actively run suspicious software and see how it behaves. Watching malicious software execute can help bolster defence techniques against other and new incoming attacks.
An access management strategy that requires a secondary form of identification before access to sensitive information is allowed.
Inspired by the Trojan Horse story, a trojan in cyber security is malware disguised as legitimate software. The malware is designed to fool a user into thinking that it is a safe file.
The process of assessing an organisation's existing cyber security measures to identify potential threats and vulnerabilities.
A method of gaining access into a system that bypasses the usual authentication steps. Programmers sometimes use these when designing a system to save time accessing them, but they obviously are a major security risk so should not be used in live systems.
Also: known as Backdoor
A secure connection to a system used to link individual users or whole networks together to aid efficient collaboration.
A malware computer program that spreads to other machines by replicating itself and sending copies of itself using vulnerabilities in those other machines.
This can refer to the amount of time a network, application, system or company has been exposed before the exposure is fixed or remediated.
A software-based firewall that operates at layer 7 of the OSI model. They protect at the HTTP level and are therefore used in addition to traditional firewalls, not as a replacement.
Zero Trust Network Architecture (ZTNA) is a cyber security model that operates on the principle of “never trust, always verify.” Unlike traditional security frameworks, ZTNA doesn’t grant access based on location within a network; instead, it rigorously verifies every user and device’s identity and security posture before allowing access to resources. This approach enhances network defence by minimising the risk of data breaches and elevating oversight and control. ZTNA enhances an organisation’s security measures and positions it better against evolving cyber threats.
A new attack on a computer system which exploits a vulnerability of which the software or anti-malware vendor is not yet aware.
Recently discovered vulnerabilities not yet known to vendors or antivirus companies, which hackers can exploit. The term zero-day comes from the idea that vendors have had ‘zero days’ to fix the issue.